CVE-2022-39279

Discourse-chat plugin susceptible to XSS in channel name and description

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

discourse-chat is a plugin for the Discourse message board which adds chat functionality. In versions prior to 0.9 some places render a chat channel's name and description in an unsafe way, allowing staff members to cause an cross site scripting (XSS) attack by inserting unsafe HTML into them. Version 0.9 has addressed this issue. Users are advised to upgrade. There are no known workarounds for this issue.

discourse-chat es un plugin para el tablero de mensajes Discourse que añade funcionalidad de chat. En versiones anteriores a 0.9, algunos lugares muestran el nombre y la descripción de un canal de chat de forma no segura, permitiendo a miembros del personal causar un ataque de tipo cross site scripting (XSS) al insertar HTML no seguro en ellos. La versión 0.9 ha abordado este problema. Es recomendado a usuarios actualizar. No se presentan mitigaciones conocidas para este problema

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-02 CVE Reserved
2022-10-06 CVE Published
2024-04-28 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (2)

URL	Tag	Source
https://github.com/discourse/discourse-chat/security/advisories/GHSA-qp62-8m3c-9jgj	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/discourse/discourse-chat/commit/25737733af48e5b9fa60b0561d7fde14bea13cce	2022-10-11

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Discourse Search vendor "Discourse"		Discourse-chat Search vendor "Discourse" for product "Discourse-chat"				< 0.9 Search vendor "Discourse" for product "Discourse-chat" and version " < 0.9"		discourse		Affected